Windows Azure Security & Compliance
DESCRIPTION
Session at the Windows Azure UK User Group on lessons learned about Windows Azure security and compliance.
TRANSCRIPT
www.aditi.com
Windows Azure Security & Compliance
NUNO GODINHO – DIRECTOR OF CLOUD SERVICES, EUROPE @ ADITI TECHNOLOGIES
About Me
Nuno Filipe Godinho
Director of Cloud Services, Europe @ Aditi Technologies
Windows Azure MVP
http://msmvps.com/blogs/nunogodinho
Twitter: @NunoGodinho
AGENDA
• WINDOWS AZURE SECURITY
• WINDOWS AZURE COMPLIANCE
• LESSONS LEARNED
• SUMMARY
WINDOWS AZURE SECURITY
Basic Cloud Security Concerns
• Where is my data located?
• Is the Cloud Provider secure?
• Who can see my Data?
• How do you make sure my company data follows “the rules”?
• Can I have my Data back?
• Can I have compliant applications in the Cloud?
Security is Multi-Dimensional
• Solutions to be secured should consider all security aspects
  – Human: How do people treat sensitive data?
  – Data: DB Hardening, Cryptography, Permissions
  – Application: Design and Implement Security Best Practices
  – Host: OS Hardening, Regular Patching
  – Networking: Firewall, VLANs, Secure Channels, ...
  – Physical: Who can access my servers?
Defense in Depth Approach
Windows Azure Security Layers
Layer: Defenses
• Data: Strong storage keys for access control; SSL support for data transfers between all parties
• Application: Front-end .NET framework code running under partial trust; Windows account with least privileges
• Host: Stripped down version of Windows Server 2008 OS; host boundaries enforced by external hypervisor
• Network: Host firewall limiting traffic to VMs; VLANs and packet filters in routers
• Physical: World-class physical security; ISO 27001 and SAS 70 Type II certifications for datacenter processes
Physical Security
• Physical Data Center SSAE 16/ISAE 3402 Attestation and ISO 27001 Certified
• Motion Sensors
• 24x7 protected Access
• Biometric controlled access systems
• Video Camera surveillance
• Security breach alarms
Built in Firewalls
• All traffic travels through several firewalls
  – Fabric Controlled
    • Host VM
    • Local Firewalls
  – Service Owner Controlled
    • Guest VM Firewall
    • SQL Database Firewall
Windows Azure Security Layers
• Managed Code Access Security: partial trust
• Windows Account: running with least privileges
• Windows FW (VM): rules based on service model
• Virtual Machine: fixed CPU, memory, disk resources
• Root Partition Packet Filter: defense in depth against VM “jailbreaking”
• Network ACLs: dedicated VLANs for tenant nodes
Defenses Inherited by Windows Azure Platform Applications
[Diagram: platform defenses grouped by threat category]
Threat categories: Spoofing, Tampering/Disclosure, Elevation of Privilege, Denial of Service, Repudiation, Information Disclosure
Defenses: Configurable scale-out, VM switch hardening, Certificate Services, Shared Access Signatures, HTTPS, Side channel protections, VLANs, Top of Rack Switches, Custom packet filtering, Partial Trust Runtime, Hypervisor custom sandboxing, Virtual Service Accounts, Monitoring, Diagnostics Service
WINDOWS AZURE COMPLIANCE
Microsoft Cloud Infrastructure Compliance Capabilities
• ISO/IEC 27001:2005 Certification
• SAS 70 Type I and II attestations (Transitioning to SSAE 16/ISAE 3402 SOC 1, 2, and 3)
• HIPAA/HITECH
• PCI Data Security Standard Certification
• FISMA Certification and Accreditation
• Various State, Federal, and International Privacy Laws (95/46/EC—aka EU Data Protection Directive; California SB1386; etc.)
Microsoft Confidential – NDA Required
Windows Azure Compliance Roadmap
Program | Description | Status
EU-US Safe Harbor Framework | Legal transfer of data to Microsoft from within EU | Done
ISO27001 | Broad international information security standard | Done (for core services)
SAS70 | US accounting audit standard | Replaced by SSAE16
SSAE16 (SOC 1 Type 2) | Replacement for SAS70 | Done (for core services)
FISMA/FedRAMP | Required by law for US Federal agencies and looked on favorably by other government agencies | In progress
EU Model Clauses | Robust commitment for handling EU personal data and transfer to US | Done (for core services)
HIPAA BAA | Protected health information in the US | Done (for core services)
Core Services: Cloud Services, Storage, Networking, Virtual Machines
LESSONS LEARNED
Quick Concepts
• Always consider the two areas of compliance:
  – Data in Transit
    • Commonly delineated into two primary categories
      – data that is moving across public or “untrusted” networks such as the Internet,
      – data that is moving within the confines of private networks such as corporate Local Area Networks (LANs)
  – Data at Rest
    • Commonly located on desktops and laptops, in databases and on file servers. In addition, subsets of data can often be found in log files, application files, configuration files, and many other places.
Lessons Learned
Process for defining which Data Privacy Compliance is required
1. Assess your organizational structure to understand where your business is being conducted.
2. Know what rules apply to your organization, particularly when you have international locations.
3. Know what you need to encrypt. Any sensitive data types that need to be protected for regulatory compliance or to comply with internal policies and standards can be strong candidates for encryption. If you have a data classification policy, encrypt the most sensitive or critical category or two.
4. Locate Data at Rest that is housed in systems across the enterprise
   1. Databases
   2. File Shares and large-scale storage
   3. Email Systems
   4. Backup Media
Lessons Learned (cont.)
Process for defining which Data Privacy Compliance is required
5. Locate Data in Transit across network channels both within and outside the organization
   1. Assessing the data trajectory
   2. Gaining visibility into the network traffic itself
6. Decide how to handle Sensitive Data
   1. Eradication
   2. Obfuscation / Anonymize
   3. Encryption
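Steps 4 and 6 above, sketched for one kind of data at rest (log and configuration lines) as an added example that is not part of the original slides: it locates card numbers and e-mail addresses, eradicates the former and obfuscates the latter with a keyed pseudonym. The patterns, the POLICY mapping and the function names are assumptions for illustration; encryption is left out because it depends on key management the slides do not cover.

```python
import hashlib
import hmac
import re

# Constructed patterns and policy for illustration; a real data classification
# policy defines its own data types and the handling each one requires.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
POLICY = {"card_number": "eradicate", "email": "obfuscate"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs still correlate across lines."""
    mac = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"<email:{mac[:12]}>"


def handle_line(line: str, key: bytes):
    """Return (sanitized_line, findings) for one line of data at rest."""
    findings = []

    def card(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # not a card number, leave untouched
        findings.append(("card_number", POLICY["card_number"]))
        return "<removed>"

    def email(m):
        findings.append(("email", POLICY["email"]))
        return pseudonym(m.group(), key)

    line = CARD_RE.sub(card, line)
    return EMAIL_RE.sub(email, line), findings


if __name__ == "__main__":  # constructed sample line and key
    print(handle_line("card=4111 1111 1111 1111 user=alice@example.com", b"demo-key"))
```

The findings list doubles as the inventory for step 4: it records which data type was found and which handling the policy applied.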
Penetration Testing
• Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes
• Customers can run penetration tests in Windows Azure. They are only required to obtain prior authorization from Microsoft by filling out a Penetration Testing Approval Form (http://bit.ly/WAPenTesting) and contacting Support.
SUMMARY
Summary
• Windows Azure is very secure
  – Top-level measures at all levels
• Windows Azure is compliant
  – Several of the most important compliances
    • ISO 27001
    • SSAE 16/ISAE 3402 (SOC 1 Type 2)
    • HIPAA BAA
• Before starting to leverage Windows Azure, understand
  – Data in Transit
  – Data at Rest
Resources
http://bit.ly/WATrustCenter
Security, Privacy, Compliance
Resources
• Windows Azure Standard Response to Request for Information: Security and Privacy (Cloud Security Alliance) – http://bit.ly/WASecurityPrivacy
• Windows Azure Penetration Testing Approval Form – http://bit.ly/WAPenTesting
• Windows Azure Security – http://bit.ly/WASecurity